Your success in Isaca CISA is our sole target and we develop all our CISA braindumps in a way that facilitates the attainment of this target. Not only is our CISA study material the best you can find, it is also the most detailed and the most updated. CISA Practice Exams for Isaca CISA are written to the highest standards of technical accuracy.

Q91. - (Topic 1)

How is the risk of improper file access affected upon implementing a database system?

When participating in a systems-development project, an IS auditor should focus on system controls rather than ensuring that adequate and complete documentation exists for all projects. True or false?

A. True

B. False

Answer: B

Explanation: When participating in a systems-development project, an IS auditor should also strive to ensure that adequate and complete documentation exists for all projects.

Q93. - (Topic 1)

What process allows IS management to determine whether the activities of the organization differ from the planned or expected levels? Choose the BEST answer.

A. Business impact assessment

B. Risk assessment

C. IS assessment methods

D. Key performance indicators (KPIs)

Answer: C

Explanation: IS assessment methods allow IS management to determine whether the activities of the organization differ from the planned or expected levels.

Q94. - (Topic 1)

After identifying potential security vulnerabilities, what should be the IS auditor's next step?

A. To evaluate potential countermeasures and compensatory controls

B. To implement effective countermeasures and compensatory controls

C. To perform a business impact analysis of the threats that would exploit the vulnerabilities

D. To immediately advise senior management of the findings

Answer: C

Explanation: After identifying potential security vulnerabilities, the IS auditor's next step is to perform a business impact analysis of the threats that would exploit the vulnerabilities.

Q95. - (Topic 2)

Which of the following would be the BEST population to take a sample from when testing program changes?

A. Test library listings

B. Source program listings

C. Program change requests

D. Production library listings

Answer: D

Explanation:

The best source from which to draw any sample or test of system information is the automated system. The production libraries represent executables that are approved and authorized to process organizational data. Source program listings would be time-intensive. Program change requests are the documents used to initiate change; there is no guarantee that the request has been completed for all changes. Test library listings do not represent the approved and authorized executables.

Q96. - (Topic 4)

An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that:

A. a backup server be available to run ETCS operations with up-to-date data.

B. a backup server be loaded with all the relevant software and data.

C. the systems staff of the organization be trained to handle any event.

D. source code of the ETCS application be placed in escrow.

Answer: D

Explanation:

Whenever proprietary application software is purchased, the contract should provide for a source code escrow agreement. This ensures that the purchasing company will have the opportunity to maintain or modify the software should the vendor cease to be in business. Having a backup server with current data and staff training is critical, but not as critical as ensuring the availability of the source code.

Q97. - (Topic 1)

Mitigating the risk and impact of a disaster or business interruption usually takes priority over transference of risk to a third party such as an insurer. True or false?

A. True

B. False

Answer: A

Explanation: Mitigating the risk and impact of a disaster or business interruption usually takes priority over transferring risk to a third party such as an insurer.

Q98. - (Topic 1)

What is an edit check to determine whether a field contains valid data?

A. Completeness check

B. Accuracy check

C. Redundancy check

D. Reasonableness check

Answer: A

Explanation: A completeness check is an edit check to determine whether a field contains valid data.

Q99. - (Topic 1)

When should application controls be considered within the system-development process?

A. After application unit testing

B. After application module testing

C. After applications systems testing

D. As early as possible, even in the development of the project's functional specifications

Answer: D

Explanation: Application controls should be considered as early as possible in the system-development process, even in the development of the project's functional specifications.

Q100. - (Topic 1)

If a database is restored from information backed up before the last system image, which of the following is recommended?

A. The system should be restarted after the last transaction.

B. The system should be restarted before the last transaction.

C. The system should be restarted at the first transaction.

D. The system should be restarted on the last transaction.

Answer: B

Explanation: If a database is restored from information backed up before the last system image, the system should be restarted before the last transaction because the final transaction must be reprocessed.

Q101. - (Topic 3)

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:

A. meets or exceeds industry security standards.

B. agrees to be subject to external security reviews.

C. has a good market reputation for service and experience.

D. complies with security policies of the organization.

Answer: B

Explanation:

It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. Compliance with security standards or organization policies is important, but there is no way to verify or prove that this is the case without an independent review. Though long experience in business and a good reputation are important factors in assessing service quality, the business cannot outsource to a provider whose security controls are weak.

Q102. - (Topic 1)

Digital signatures require the sender to "sign" the data by encrypting the data with the sender's public key, to then be decrypted by the recipient using the recipient's private key. True or false?

A. False

B. True

Answer: B

Explanation: Digital signatures require the sender to "sign" the data by encrypting the data with the sender's private key, to then be decrypted by the recipient using the sender's public key.

Q103. - (Topic 2)

An IS auditor is performing an audit of a remotely managed server backup. The IS auditor reviews the logs for one day and finds one case where logging on a server has failed with the result that backup restarts cannot be confirmed. What should the auditor do?

A. Issue an audit finding

B. Seek an explanation from IS management

C. Review the classifications of data held on the server

D. Expand the sample of logs reviewed

Answer: D

Explanation:

Audit standards require that an IS auditor gather sufficient and appropriate audit evidence. The auditor has found a potential problem and now needs to determine whether this is an isolated incident or a systematic control failure. At this stage it is too preliminary to issue an audit finding; seeking an explanation from management is advisable, but it would be better to gather additional evidence to properly evaluate the seriousness of the situation. A backup failure, which has not been established at this point, would be serious if it involves critical data. However, the issue is not the importance of the data on the server where a problem has been detected, but whether a systematic control failure that impacts other servers exists.

Q104. - (Topic 1)

Who should be responsible for network security operations?

A. Business unit managers

B. Security administrators

C. Network administrators

D. IS auditors

Answer: B

Explanation: Security administrators are usually responsible for network security operations.

Q105. - (Topic 1)

Which of the following processes are performed during the design phase of the systems-development life cycle (SDLC) model?

A. Develop test plans.

B. Baseline procedures to prevent scope creep.

C. Define the need that requires resolution, and map to the major requirements of the solution.

D. Program and test the new system. The tests verify and validate what has been developed.

Answer: B

Explanation: Procedures to prevent scope creep are baselined in the design phase of the systems-development life cycle (SDLC) model.